Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
From: Miles Sabin <miles AT milessabin DOT com>
To: cygwin AT cygwin DOT com
Date: Tue, 1 Feb 2005 02:12:46 +0000
User-Agent: KMail/1.6.2
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200502010212.46364.miles@milessabin.com>
X-SA-Exim-Connect-IP: 195.184.234.172
X-SA-Exim-Mail-From: miles AT milessabin DOT com
Subject: SSH and COM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on meinong.milessabin.com
X-Spam-Level: 
X-Spam-Status: No, hits=-4.2 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=2.63
X-SA-Exim-Version: 4.1 (built Wed, 05 Jan 2005 11:09:49 -0500)
X-SA-Exim-Scanned: Yes (on meinong.milessabin.com)
X-IsSubscribed: yes

Hi folks,

My apologies if this question turns out to be more a general Windows 
security issue than something cygwin and ssh specific, but cygwin/ssh 
is the context I'm seeing my problem in and I'm utterly baffled ... any 
insight would be most welcome.

I'm attempting to launch a parallel application on a Win2k cluster using 
cygwin's ssh(d) in conjunction with a simple distributed shell. This 
application uses COM automation to create and manipulate Excel 
instances.

The user domain account on the cluster machines has the appropriate 
privileges to be able to do this (verified by logging into the machines 
as that user via terminal services and launching the application 
manually). However, when logged in via ssh, the privileges appear to be 
sensitive to the user account that the login was _from_.

Specifically,

* With an ssh login from user1 AT workstation to foo AT cluster the launched
  application can successfully create and manipulate Excel instances.

* With an ssh login from user2 AT workstation to foo AT cluster the launched
  application manages to create Excel instances, but fails when
  attempting to manipulate them with a generic 80070005 Access is denied
  error.

The solution is obvious: find out the differences between user1 and 
user2 and bring them into line. Unfortunately (or maybe fortunately ;-) 
that's out of my hands: I'm not an admin at this site and I just have 
to hope that the people who are will be able to deal with it.

What I'd really like to understand, tho', is how this can possibly 
happen. I wasn't aware that the SSH protocol had any mechanism for 
communicating the identity (especially a Windows domain identity) of 
the _originator_ of an ssh connection. Surely the only identity and 
credentials which should be relevant are those of the target account?
What's going on here? Something like the ident protocol?

Any pointers you can give me which I can pass on to the people who are 
in a position to fix the problem would be very much appreciated.

Cheers,


Miles

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/